Comments for Ugens udflugt... http://kilimanjaro.dk/blog Security and running advisor for the internet Mon, 07 Feb 2011 20:26:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Day 5: The most popular vulnerabilities by Jens Jakob http://kilimanjaro.dk/blog/?p=346&cpage=1#comment-2893 Jens Jakob Mon, 07 Feb 2011 20:26:31 +0000 http://kilimanjaro.dk/blog/?p=346#comment-2893 Congrats, seems to be that Jysk has reacted FAST and closed the hole. 1-0 for the securitycampaign Congrats, seems to be that Jysk has reacted FAST and closed the hole. 1-0 for the securitycampaign

]]> Comment on Day 6: Why can’t you fix an XSS in less than a week? by paranoid http://kilimanjaro.dk/blog/?p=376&cpage=1#comment-2892 paranoid Mon, 07 Feb 2011 06:10:02 +0000 http://kilimanjaro.dk/blog/?p=376#comment-2892 It's a similar message I have got from a few start-ups. It reinforces my opinion that the internet would be a better place if some of these problems had been solved in the languages/frameworks a long time ago. It’s a similar message I have got from a few start-ups. It reinforces my opinion that the internet would be a better place if some of these problems had been solved in the languages/frameworks a long time ago.

]]> Comment on Day 6: Why can’t you fix an XSS in less than a week? by Tweets that mention Day 6: Why can’t you fix an XSS in less than a week? « Ugens udflugt… -- Topsy.com http://kilimanjaro.dk/blog/?p=376&cpage=1#comment-2891 Tweets that mention Day 6: Why can’t you fix an XSS in less than a week? « Ugens udflugt… -- Topsy.com Mon, 07 Feb 2011 06:03:03 +0000 http://kilimanjaro.dk/blog/?p=376#comment-2891 [...] This post was mentioned on Twitter by Philip Tellis, ptr. ptr said: Day 6: Why can't you fix an XSS in less than a week? http://tinyurl.com/66ljbho #security [...] [...] This post was mentioned on Twitter by Philip Tellis, ptr. ptr said: Day 6: Why can't you fix an XSS in less than a week? http://tinyurl.com/66ljbho #security [...]

]]> Comment on Day 6: Why can’t you fix an XSS in less than a week? by Philip Tellis http://kilimanjaro.dk/blog/?p=376&cpage=1#comment-2890 Philip Tellis Mon, 07 Feb 2011 05:53:13 +0000 http://kilimanjaro.dk/blog/?p=376#comment-2890 A friend of mine who does contract work with some .dk sites tells me that they don't have much interest in security. Whenever he's brought up the issue, the response he gets is something to the effect of: "why would anyone do that? it's not nice. people are good and don't do bad things." A friend of mine who does contract work with some .dk sites tells me that they don’t have much interest in security. Whenever he’s brought up the issue, the response he gets is something to the effect of: “why would anyone do that? it’s not nice. people are good and don’t do bad things.”

]]> Comment on Day 4 and the first success by Day 6: Why can’t you fix this in less than a week? « Ugens udflugt… http://kilimanjaro.dk/blog/?p=343&cpage=1#comment-2889 Day 6: Why can’t you fix this in less than a week? « Ugens udflugt… Mon, 07 Feb 2011 05:35:35 +0000 http://kilimanjaro.dk/blog/?p=343#comment-2889 [...] Day 4 and the first success I wrote about how Yubico.com responded and fixed the vulnerability I found in their web site. I [...] [...] Day 4 and the first success I wrote about how Yubico.com responded and fixed the vulnerability I found in their web site. I [...]

]]> Comment on Obligations by paranoid http://kilimanjaro.dk/blog/?p=335&cpage=1#comment-2886 paranoid Sun, 06 Feb 2011 20:19:18 +0000 http://kilimanjaro.dk/blog/?p=335#comment-2886 XSS is an attack against the browser which allows code to be run in the context of the domain with the vulnerability. So you could say the site is not directly at risk. But isn't it bad enough that the domain you have spent time and resources to build into something people trust is now being abused for something that is in contrast to what your domain stands for? Or how about sessions being hijacked for your logged in users? I would say that is an attack against the site and it's credibility. Remember the competing web site is just a link away. That makes it all the more surprising that site owners don't respond to an email stating there is a problem with their site. It seems like the majority of the cases requires something like a full disclosure and the following bad PR to get a security hole fixed. I don't think we gain anything by not disclosing vulnerabilities because then site owners probably will never fix anything. Without a fix an exploit may go undetected for a long time. The solution is for site owners to step up to their obligations XSS is an attack against the browser which allows code to be run in the context of the domain with the vulnerability. So you could say the site is not directly at risk. But isn’t it bad enough that the domain you have spent time and resources to build into something people trust is now being abused for something that is in contrast to what your domain stands for? Or how about sessions being hijacked for your logged in users? I would say that is an attack against the site and it’s credibility. Remember the competing web site is just a link away.

That makes it all the more surprising that site owners don’t respond to an email stating there is a problem with their site. It seems like the majority of the cases requires something like a full disclosure and the following bad PR to get a security hole fixed.

I don’t think we gain anything by not disclosing vulnerabilities because then site owners probably will never fix anything. Without a fix an exploit may go undetected for a long time.

The solution is for site owners to step up to their obligations

]]> Comment on Day 5: The most popular vulnerabilities by Tweets that mention Day 5: The most popular vulnerabilities « Ugens udflugt… -- Topsy.com http://kilimanjaro.dk/blog/?p=346&cpage=1#comment-2885 Tweets that mention Day 5: The most popular vulnerabilities « Ugens udflugt… -- Topsy.com Sun, 06 Feb 2011 17:07:55 +0000 http://kilimanjaro.dk/blog/?p=346#comment-2885 [...] This post was mentioned on Twitter by ptr, Cigana Johnny. Cigana Johnny said: Day 5: The most popular vulnerabilities « Ugens udflugt…: Day 5: The most popular vulnerabilities. Vulnerability... http://bit.ly/f4EPdQ [...] [...] This post was mentioned on Twitter by ptr, Cigana Johnny. Cigana Johnny said: Day 5: The most popular vulnerabilities « Ugens udflugt…: Day 5: The most popular vulnerabilities. Vulnerability… http://bit.ly/f4EPdQ [...]

]]> Comment on Obligations by Jens Jakob Andersen http://kilimanjaro.dk/blog/?p=335&cpage=1#comment-2883 Jens Jakob Andersen Sun, 06 Feb 2011 14:37:07 +0000 http://kilimanjaro.dk/blog/?p=335#comment-2883 You have a very good point about disclosure. With the nature of the XSS, it is an open door, making it possible for any bad guy to piggyback on a trusted sitename, and use it for injecting bad code info the users part of the transaction, without ever touching the "XSS providing site". So quite often it does not neccesary provide a direct threat for the site "hosting" the XSS itself. Which could lead to the argument, that disclosure of XSS should be mandatory, in order to protect the users of the web. The flipside to this, is that some siteowners might believe that the disclosure of a XSS related to their site is bad PR. So at the same time it is very important to give the siteowners the chance to rectify the XSS vulnerability first, and kudos to those who react FAST. You have a very good point about disclosure.

With the nature of the XSS, it is an open door, making it possible for any bad guy to piggyback on a trusted sitename, and use it for injecting bad code info the users part of the transaction, without ever touching the “XSS providing site”.

So quite often it does not neccesary provide a direct threat for the site “hosting” the XSS itself.

Which could lead to the argument, that disclosure of XSS should be mandatory, in order to protect the users of the web.

The flipside to this, is that some siteowners might believe that the disclosure of a XSS related to their site is bad PR.

So at the same time it is very important to give the siteowners the chance to rectify the XSS vulnerability first, and kudos to those who react FAST.

]]> Comment on Status after about 100 security notifications by Cross-site scripting awareness month « Ugens udflugt… http://kilimanjaro.dk/blog/?p=277&cpage=1#comment-2874 Cross-site scripting awareness month « Ugens udflugt… Wed, 02 Feb 2011 07:17:34 +0000 http://kilimanjaro.dk/blog/?p=277#comment-2874 [...] Or perhaps the personal handling incoming email doesn't know where to route it. The example from Status after 100 notifications where a professional web developer, founder and CTO insists that you can only attack yourself with [...] [...] Or perhaps the personal handling incoming email doesn't know where to route it. The example from Status after 100 notifications where a professional web developer, founder and CTO insists that you can only attack yourself with [...]

]]> Comment on Status after about 100 security notifications by Is something rotten on .dk? « Ugens udflugt… http://kilimanjaro.dk/blog/?p=277&cpage=1#comment-2848 Is something rotten on .dk? « Ugens udflugt… Sun, 23 Jan 2011 20:41:44 +0000 http://kilimanjaro.dk/blog/?p=277#comment-2848 [...] says politicians has to take the cyber threat serious. This in combination with my recent blog: Status after about 100 security notifications has inspired me to summarize my recent web security research. We can call it: "Let's see what lies [...] [...] says politicians has to take the cyber threat serious. This in combination with my recent blog: Status after about 100 security notifications has inspired me to summarize my recent web security research. We can call it: "Let's see what lies [...]

]]>